I installed Spiceworks and set up Network Scanning yesterday. Today my firewall logs are full of warnings of "Duplicate TCP SYN" packets from the computer I installed Spiceworks on to TCP 135 on other network computers. When I say full, I mean the log file grew 200 MB overnight where it used to grow about 20 MB. Is this common with Spiceworks?

7 Replies

Port 135 requests are associated with WMI, which Spiceworks uses to query for information from Windows devices on the network.

If you have 200 MB worth of queries in the firewall's log, I would guess the timestamps would correspond with a scheduled network scan being done by your Spiceworks installation.

Can you disable monitoring of port 135 requests from the Spiceworks computer to prevent the logging? Or does this "Duplicate TCP SYN" message imply there is some kind of error or improper communication occurring?

I realize now I should have given more information about the warning. The actual warning message is "Duplicate TCP SYN from (source address) to (target address) with different initial sequence number".

Cisco explains this warning as, "A duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number than the SYN that opened the embryonic connection. This could indicate that SYN's are being spoofed."

As you stated in your post, Spiceworks uses port 135 to gather information so that would justify the communication to port 135. However, the different initial sequence numbers are what I find concerning.

I think as long as all of these requests are coming from the Spiceworks computer they will be safe (if the Spiceworks computer can be trusted to not be compromised).

It seems possible that the multiple TCP SYNs could be the result of Spiceworks trying to initiate multiple WMI connections in rapid succession (which would not be surprising during a scan, which is an attempt to rapidly collect a large amount of information from the remote device).

Sorry I haven't responded sooner, I had to set this project aside for a while. What I have been able to find seems to indicate the issue is with the firewall appliance. When these warning messages were logged, Spiceworks was communicating with hosts connected via VPN. Since then I have seen similar log entries generated when other internal hosts (antivirus server pushing updates or remote desktop connections) were communicating with hosts on the VPN. Since the VPN is the common factor it's looking like a firewall issue.

At the time, the firewall had the most current firmware. My guess is that the problem is related to AnyConnect using DTLS (Datagram Transport Layer Security). I did find a Cisco FAQ that suggested turning off DTLS to eliminate the "Duplicate TCP SYN" messages, but warned it could negatively affect VPN throughput speeds. After consulting our friendly CCIE at our support vendor, we decided to stop logging this message using the "no logging message 419002" command. When (or should I say if) I have time in the future, I'll start logging that message again to see if I can find a true solution. Until then, I'm just satisfied that the log files aren't exploding.
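The thread ends up testing two hypotheses against the firewall log: that the 419002 warnings line up with the scheduled Spiceworks scan (all from the scanner host, all to TCP 135), or that the VPN is the common factor (many internal sources, every destination behind the VPN). The script below is an added example, not code from the thread or from Spiceworks or Cisco; it parses ASA-style syslog lines for message 419002, aggregates them by source host, destination port, hour bucket and VPN membership, and reports which hypothesis the data supports. The log lines are constructed samples using RFC 5737 documentation addresses, the "interface:address/port" layout of the message text is assumed from the wording quoted in the thread, the syslog year is assumed (lines carry none), and the VPN prefix and scanner address are parameters you would replace with your own.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines, shaped after the ASA 419002 message text quoted
# in the thread. Addresses are RFC 5737 documentation ranges, not real hosts.
# The last line is a different message ID and must be ignored by the parser.
SAMPLE_LOG = """\
Jun 14 02:00:01 fw01 %ASA-4-419002: Duplicate TCP SYN from inside:192.0.2.10/49152 to vpn:198.51.100.21/135 with different initial sequence number
Jun 14 02:00:02 fw01 %ASA-4-419002: Duplicate TCP SYN from inside:192.0.2.10/49153 to vpn:198.51.100.22/135 with different initial sequence number
Jun 14 02:00:04 fw01 %ASA-4-419002: Duplicate TCP SYN from inside:192.0.2.10/49154 to vpn:198.51.100.23/135 with different initial sequence number
Jun 14 02:05:09 fw01 %ASA-4-419002: Duplicate TCP SYN from inside:192.0.2.10/49160 to vpn:198.51.100.21/135 with different initial sequence number
Jun 14 09:10:33 fw01 %ASA-4-419002: Duplicate TCP SYN from inside:192.0.2.50/51000 to vpn:198.51.100.22/445 with different initial sequence number
Jun 14 09:12:41 fw01 %ASA-4-419002: Duplicate TCP SYN from inside:192.0.2.60/52000 to vpn:198.51.100.23/3389 with different initial sequence number
Jun 14 09:12:42 fw01 %ASA-6-302013: Built outbound TCP connection 12345 for inside:192.0.2.60/52000 to vpn:198.51.100.23/3389
"""

# Assumed layout: "<syslog timestamp> <host> %ASA-4-419002: Duplicate TCP SYN from
# <in_if>:<src>/<sport> to <out_if>:<dst>/<dport> with different initial sequence number"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %ASA-4-419002: "
    r"Duplicate TCP SYN from (?P<sif>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dif>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"with different initial sequence number"
)

LOG_YEAR = 2024  # syslog timestamps carry no year; assumed so lines can be bucketed


def parse_419002(text):
    """Return one event dict per 419002 line; lines with other message IDs are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return events


def summarize(events, vpn_nets):
    """Aggregate events by source host, destination port, hour bucket and VPN membership."""
    nets = [ip_network(n) for n in vpn_nets]
    by_src = Counter(e["src"] for e in events)
    by_dport = Counter(e["dport"] for e in events)
    by_hour = Counter(e["time"].strftime("%Y-%m-%d %H:00") for e in events)
    dst_in_vpn = sum(1 for e in events if any(ip_address(e["dst"]) in n for n in nets))
    return {
        "total": len(events),
        "by_src": dict(by_src),
        "by_dport": dict(by_dport),
        "by_hour": dict(by_hour),
        "dst_in_vpn": dst_in_vpn,
    }


def classify(summary, scanner_ip):
    """Map the aggregate onto the thread's two explanations for the warnings."""
    if summary["total"] == 0:
        return "no-419002-events"
    # Only the scanner, only WMI (TCP 135): consistent with scheduled-scan noise.
    if set(summary["by_src"]) == {scanner_ip} and set(summary["by_dport"]) == {135}:
        return "scanner-wmi-only"
    # Several internal sources, every destination behind the VPN: VPN is the common factor.
    if summary["dst_in_vpn"] == summary["total"] and len(summary["by_src"]) > 1:
        return "common-factor-vpn"
    return "mixed-investigate"


if __name__ == "__main__":
    evts = parse_419002(SAMPLE_LOG)
    summary = summarize(evts, vpn_nets=["198.51.100.0/24"])
    print(summary)
    print("verdict:", classify(summary, scanner_ip="192.0.2.10"))
```

Run it against a real log export with your own scanner address and VPN address pool; the by_hour buckets are what you compare against the Spiceworks scan schedule, and a "common-factor-vpn" verdict is the data pattern the original poster describes before deciding to suppress the message.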